Banking Threat Bulletin: December 2025

Regulators, banks, and tech platforms are racing to keep pace as fraud evolves.

From Europe’s landmark PSD3 agreement to record-breaking losses among older Americans, the past year has reshaped the global fight against financial crime. New rules, smarter controls, and emerging technologies signal a turning point for payments security and for how institutions manage risk in an increasingly digital world.

 

---

 

1. EU Reaches Deal on PSD3 With Stronger Fraud Controls

EU lawmakers have reached a political agreement on the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR), strengthening consumer protection against online fraud and tightening rules around authentication, controls, and liability. In a major shift, payment service providers (PSPs) will be required to reimburse victims of bank impersonation scams, while online platforms may be held liable to PSPs for losses if they fail to remove reported fraudulent content. 

PSD3 clearly pushes fraud prevention further upstream and begins to rebalance the liability for APP fraud, where costs have historically fallen largely on customers. With formal adoption and national implementation ahead, the coming months will shape Europe’s payments security framework for years to come— and will set new expectations for how banks manage fraud risk. 

2. Older Americans Lose Record Sums to Financial Fraud

New FTC data shows Americans aged 60+ lost a record $3.4 billion to fraud in 2024, with investment scams driving the largest losses. However, because most fraud goes unreported, the agency estimates the true losses may reach $81.5 billion, underscoring how much scam impact remains invisible.  

Two lessons stand out. First, high-value fraud is increasingly concentrated among older customers, driving regulatory momentum, including the proposed Financial Exploitation Prevention Act, which would allow institutions to delay suspicious transactions. Second, most fraud never reaches official statistics, meaning banks are operating with only partial visibility into the true scale of the problem. 

3. Regulators Escalate Scrutiny of Banks’ Financial Crime Controls

In December, regulators in both Europe and the UK signaled tougher expectations for financial crime oversight. Germany’s BaFin imposed new sanctions and increased supervision on online bank N26 over persistent compliance and risk management weaknesses, while the UK’s FCA fined Nationwide £4.4 million for failures in its financial crime controls, citing inadequate systems to prevent and detect illicit activity. 

As risks rise, regulatory tolerance for gaps in financial crime frameworks is shrinking. Institutions should expect deeper scrutiny of how fraud risks are identified, monitored, and escalated in practice, not just on paper. 

4. Verification of Payee Signals What’s Coming for US Payments  

While Verification of Payee (VoP) is now live in Europe, its relevance is growing in the US as authorized push payment fraud and imposter scams dominate regulatory and industry reporting. The debate over liability between sending and receiving institutions closely mirrors the discussions that led to VoP in Europe and the UK. 

For US banks and fintechs, VoP is a signal of where instant payments are heading. Pre-payment beneficiary validation and stronger account-holder verification are increasingly being treated as core components of fast payments, not optional controls, with implications for product design, liability allocation, and regulatory expectations. 

5. “Know Your Agent” Challenges Bank Risk Management

An American Banker warns that autonomous AI agents could challenge traditional bank compliance frameworks, as controls like Know Your Customer (KYC) were designed for human actors, not digital AI assistants managing finances on users’ behalf. 

As AI agents begin initiating transactions, managing accounts, and interacting with financial systems, the industry may need to move beyond KYC toward a new “know your agent” framework, enabling these tools in a controlled, compliant, and secure manner. 

6. Job Scam Ads on TikTok Funnel Victims Into Payment Fraud

An investigation by The Guardian found that scam job advertisements on TikTok are targeting users in Kenya, using fake employment offers to extract money from victims. The scams exploit trusted social platforms and local economic pressure, with losses often routed through digital payment channels. 

The case underscores the growing complexity of scams, the central role social media platforms play in fraud origination, and how opaque platforms can be as scams originate and spread at scale. While manipulation happens outside the banking perimeter, banks need stronger APP fraud defenses to safeguard customers when these socially engineered payments reach their systems. 

7. Smart Friction Gains Ground as a Scam Control

Banks should rethink friction not as a UX failure but as a targeted fraud control. Smart friction focuses on introducing timely, risk-based interventions only when behavioral signals suggest manipulation or elevated scam risk, rather than slowing down every customer by default. 

Applied selectively, smart friction can disrupt scams without harming legitimate users. The challenge for banks is knowing when and where to intervene, which requires real-time behavioral insight rather than static rules. 

---